
CHAPTER 9 Security and Privacy Architecture

Security zones developed to meet such requirements may be scattered throughout the network and may even overlap one another. An example of this is presented in Figure 9.14. In this figure five security zones are shown, based on different security requirements. The first zone (Security Level 1) covers the entire network and is intended to provide a general level of security for all users, applications, and devices. This may include intrusion detection and logging. The second zone (Security Level 2) provides a higher level of security between this network and all external networks. This may include NAT and firewalls. The third zone (Security Level 3) provides another level of security for an entire group of users, applications, and devices (Group D), whose security requirements are different from the rest of the network. For example, this group may handle financial and proprietary information for the company. The fourth zone (Security Level 4) provides security for a subset of users, applications, and devices from multiple groups (Groups A and B). These are select users, applications, and devices whose security needs are different from others in their groups. For example, they may be working on company-classified projects, producing data that need to be protected from the rest of the groups.

The third and fourth zones may apply mechanisms to protect their data, such as encryption, and may have access protection via firewalls and packet filtering. The fifth zone (Security Level 5) is security for devices used by multiple users, such as servers. This zone may employ monitoring, logging, and authentication to verify user access. Figures 9.12, 9.13, and 9.14 show how security mechanisms may be applied in a network to achieve multiple security levels or zones.

FIGURE 9.13 Security Zones Embedded within Each Other (figure not reproduced: core, distribution, and access layers with user devices; Security Level 1: Lowest, Security Level 2: Medium, Security Level 3: Highest)

FIGURE 9.14 Developing Security Zones throughout a Network (figure not reproduced: Networks A through G with user devices, servers, external networks, and the Internet; Security Level 1: General, Security Level 2: External, Security Level 3: Group D, Security Level 4: Groups A and B, Security Level 5: Servers)

9.6.2 Internal Relationships

Interactions within the security architecture include tradeoffs, dependencies, and constraints among each of the security mechanisms for your network. For example, some security mechanisms require the ability to look at, add to, or modify various information fields within the packet. NAT changes IP address information between public and private address domains. Encryption mechanisms may encrypt information fields, making them unreadable to other mechanisms.
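The dependencies and constraints described for the internal relationships above can be checked mechanically once each mechanism on a path declares what it does to the packet. The following Python model is an added example written for this section, not code from the book or its authors: each mechanism states which packet fields it must read, which it rewrites (as NAT does), and which it encrypts for everything downstream; walking a chain in path order then reports conflicts (a mechanism needs a field that an earlier one already encrypted) and dependencies (a mechanism reads a field that an earlier one rewrote). The field names, the mechanism definitions and the two example chains are simplified assumptions constructed for the illustration.

```python
"""Dependency check for a chain of security mechanisms on a packet path.

Added illustration; this is not code from the book.  Each mechanism
declares which packet fields it reads, which it rewrites (NAT), and which
it makes unreadable to everything downstream (encryption).  Walking the
chain in path order surfaces two kinds of internal relationship:

  * a conflict: a mechanism needs a field that an upstream mechanism
    has already encrypted (e.g. a packet filter placed after an
    encrypting gateway can no longer see destination ports);
  * a dependency: a mechanism reads a field that an upstream mechanism
    rewrote (e.g. logging after NAT records translated addresses and
    must be correlated with the NAT table).

Field names and mechanism definitions are simplified assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mechanism:
    name: str
    reads: frozenset = frozenset()     # fields the mechanism must be able to read
    modifies: frozenset = frozenset()  # fields it rewrites in place
    hides: frozenset = frozenset()     # fields it encrypts for everything downstream


def check_chain(chain):
    """Return (conflicts, dependencies) for mechanisms applied in path order."""
    hidden = {}     # field -> mechanism that encrypted it
    rewritten = {}  # field -> mechanism that last rewrote it
    conflicts, dependencies = [], []
    for m in chain:
        # Reading or rewriting a field that is already encrypted is a conflict.
        for f in sorted(m.reads | m.modifies):
            if f in hidden:
                conflicts.append(f"{m.name} needs {f}, but {hidden[f]} encrypted it upstream")
        # Reading a field that an earlier mechanism rewrote is a dependency.
        for f in sorted(m.reads):
            if f in rewritten:
                dependencies.append(f"{m.name} sees {f} as rewritten by {rewritten[f]}")
        for f in m.modifies:
            rewritten[f] = m.name
        for f in m.hides:
            hidden[f] = m.name
    return conflicts, dependencies


# Constructed, simplified mechanism definitions (assumptions, not from the book).
NAT = Mechanism("NAT", reads=frozenset({"src_ip", "src_port"}),
                modifies=frozenset({"src_ip", "src_port"}))
FIREWALL = Mechanism("firewall", reads=frozenset({"src_ip", "dst_ip", "dst_port"}))
IDS = Mechanism("IDS", reads=frozenset({"src_ip", "dst_ip", "dst_port", "payload"}))
LOGGING = Mechanism("logging", reads=frozenset({"src_ip", "dst_ip"}))
ENCRYPTION = Mechanism("encryption gateway", reads=frozenset({"dst_ip"}),
                       hides=frozenset({"src_port", "dst_port", "payload"}))

# Security Level 2 boundary, inside-to-outside: inspect and filter while the
# packet is still in the clear, translate, log, then encrypt on the way out.
BOUNDARY_CHAIN = [IDS, FIREWALL, NAT, LOGGING, ENCRYPTION]

# Same mechanisms with encryption placed first: the filter and sensor are blind.
MISORDERED_CHAIN = [ENCRYPTION, FIREWALL, IDS]

if __name__ == "__main__":
    for label, chain in (("boundary", BOUNDARY_CHAIN), ("misordered", MISORDERED_CHAIN)):
        conflicts, deps = check_chain(chain)
        print(f"{label}: {len(conflicts)} conflict(s), {len(deps)} dependency(ies)")
        for line in conflicts + deps:
            print("  " + line)
```

Running the script shows the boundary chain with no conflicts and a single dependency (logging records the NAT-translated source address), while the misordered chain produces three conflicts because the firewall and the IDS are placed behind the encrypting gateway. The same declarations can be extended with other fields, such as headers covered by an integrity check, to capture further constraints between mechanisms.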